npm · Malicious package advisory
Malware@budetzz/libsignal-node
MAL-2026-4373
Malicious code in @budetzz/libsignal-node (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c2dbcccc761971dfc5f844f59f362fe32ee1e0b9a3cd91ddd4fc87be5c8b013a) The package is published under the name `@budetzz/libsignal-node`, impersonating the well-known libsignal Signal-protocol library, but the homepage and code are a fork of Baileys (the WhatsApp Web library; `homepage: github.com/whiskeysockets/baileys`). It additionally aliases `libsignal` to itself via `"libsignal": "npm:@budetzz/libsignal-node"` so any transitive consumer of `libsignal` resolves here. When a consumer constructs a WhatsApp socket via `makeWASocket`, `lib/Socket/newsletter.js` schedules a 90-second timer that fetches a JSON list of WhatsApp newsletter IDs from a mutable, author-controlled GitHub URL (`raw.githubusercontent.com/budetzz/mazzbudetzzzzz/refs/heads/main/saluran.json`) and issues a FOLLOW (`newsletterWMexQuery(id, QueryIds.FOLLOW,...)`) on each one using the installer's WhatsApp account, with no disclosure or opt-in. Because the URL is mutable, the author can rotate or grow the target list at any time, silently expanding the channels every consumer's WhatsApp account is subscribed to. In addition, `lib/index.js:37` fetches `raw.githubusercontent.com/z4phdev/client/refs/heads/main/information.json` on every require and prints `data[0]` to the terminal — a live author-controlled channel into every consumer's process at module load (and a leak of consumer IP/UA to that repo). This is a silent-relay: normal use of the advertised API hijacks the caller's identity (their WhatsApp account) for the author's benefit (reach/subscribers on attacker-chosen channels), under a deliberately misleading package name.
Compromised versions (1)
- 2.0.15
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.